[79134] in North American Network Operators' Group
Re: MD5 for TCP/BGP Sessions
daemon@ATHENA.MIT.EDU (Stephen J. Wilcox)
Thu Mar 31 05:27:35 2005
Date: Thu, 31 Mar 2005 11:27:06 +0100 (BST)
From: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
To: Pekka Savola <pekkas@netcore.fi>
Cc: John Kristoff <jtk@northwestern.edu>, <nanog@merit.edu>
In-Reply-To: <Pine.LNX.4.61.0503310922350.12334@netcore.fi>
Errors-To: owner-nanog@merit.edu

On Thu, 31 Mar 2005, Pekka Savola wrote:
> On Thu, 31 Mar 2005, Stephen J. Wilcox wrote:
> > without wishing to repeat what can be googled for.. putting acls on your edge to
> > protect your ebgp sessions won't work for obvious reasons -- to spoof data and
> > disrupt a session you have to spoof the srcip which of course the acl will allow in
>
> This is why this helps for eBGP sessions only if the peer is also protecting its
> borders. I.e., if you know the peer's network has spoofing-prevention enabled,
> nobody is able to spoof the srcip the peer uses.

trusting a third party to protect your network is imho not best practice, in
addition many networks may have considerable customers inside them making
attacking from inside trivial

Steve